Out-Law News 1 min. read

Internet companies could be forced to 'share encryption keys' to enable EU surveillance

Technology companies could be forced to "share encryption keys" with law enforcement agencies under new plans being considered by EU law makers.

A leaked Council of Ministers discussion paper, published on the Statewatch website (14-page / 57KB PDF) and authored by the EU's counter-terrorism coordinator Gilles de Kerchove, said new EU rules could help with the "lawful interception" of communications.

"Since the Snowden revelations, internet and telecommunications companies have started to use often de-centralised encryption which increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible," de Kerchove said, according to the leaked paper.

"The [European] Commission should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide under certain conditions as set out in the relevant national laws and in full compliance with fundamental rights access of the relevant national authorities to communications (i.e. share encryption keys)," he said.

The plans were scheduled to be considered by a Council committee that looks into improving operational cooperation on internal security last week and could be considered at a meeting of justice and home affairs ministers from across the EU at a two day meeting in Riga, Latvia, on Thursday and Friday this week.

Earlier this month UK prime minister David Cameron outlined his intention to legislate to ensure law enforcement agencies could obtain lawful access to encrypted communications.

In his paper, de Kerchove also called for the European Commission to "deepen the engagement with the internet companies". He said there needs to be "a stronger joint response" from technology companies, the EU and individual EU countries to better restrict "the circulation of terrorist material online".

De Kerchove said EU countries should set up an equivalent body to the UK's Counter-Terrorism Internet Referral Unit (CTIRU). CTIRU identifies terrorist and extremist content on social media platforms and flags them to operators of those platforms. Since February 2010, internet companies, including social media sites, have "removed 72,000 pieces of terrorist content following referrals from CTIRU because they have agreed that the content represents a breach of their rules", de Kerchove's paper said.

The counter-terrorism coordinator said EU policy makers should also consider whether Europol could play a similar role in "either flagging or facilitating the flagging of content which breaches the platforms’ own terms and conditions".

There is also a "crucial and urgent need" to establish a new 'passenger name record' legal framework, which would require airlines to share data about passengers who board their flights to and from the EU with law enforcement bodies, de Kerchove said. He added that new EU data retention laws could be drafted by the European Commission soon. In April last year, the Court of Justice of the EU ruled that the now-invalid Data Retention Directive disproportionately infringed on privacy rights.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.